Optimising the Quadratic Sieve
Christiana Mavroyiakoumou


Introduction

The quadratic sieve is an integer factorisation algorithm created in 1981 by Carl Pomerance. It is the second fastest algorithm known to date and can be used to factorise numbers up to around 120 digits. Its runtime is sub-exponential.

Some Useful Definitions

A quadratic residue (mod n) is a number a such that $x^2 \equiv a \pmod n$ has a solution, for $a, n \in \mathbb{N}$ coprime.

If the prime decomposition of n is $p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$, then the exponent vector, v, is the vector $(a_1, a_2, \ldots, a_k)$.

For an odd prime p, the Legendre symbol is defined as
$$\left(\frac{n}{p}\right) = \begin{cases} 1 & \text{if } n \text{ is a quadratic residue} \pmod p \\ -1 & \text{if } n \text{ is a non-residue} \pmod p \\ 0 & \text{if } n \equiv 0 \pmod p \end{cases}$$

An integer n is B-smooth if all its prime factors are less than or equal to B. The quadratic sieve searches for B-smooth numbers.

Choosing B

Choosing B implies a tradeoff: a small B makes it easy to check whether a number is B-smooth, but makes it unlikely to find any. A large B increases the chance of finding B-smooth numbers, but at the same time factorising each number becomes harder. Heuristic analysis showed that the best choice for the smoothness bound B is about
$$B \approx e^{\frac{1}{2}\sqrt{\ln n \,\ln\ln n}}.$$

Legendre Symbol

The Legendre symbol is computed using Euler's criterion:
$$\left(\frac{n}{p}\right) \equiv n^{(p-1)/2} \pmod p.$$
If the Legendre symbol for a prime is 1, then include this prime in the factor base. Since primes giving −1 do not appear in the factorisations, discard them. About 50% of the primes satisfy the condition: checking for fewer prime factors makes the sieving step faster.

The basic Quadratic Sieve algorithm

The idea is that for x, y with $x \not\equiv \pm y \pmod n$ such that $x^2 \equiv y^2 \pmod n$, a non-trivial factor of n can be obtained via $\gcd(x \pm y, n)$. This gcd is found by Euclid's algorithm, and the probability of the corresponding factor being non-trivial is at least 1/2.

1. Choose B.
2. Form the factor base consisting of the primes $p \le B$ for which the Legendre symbol equals 1.
3. Start with $x = \lceil\sqrt{n}\rceil$. Make an array of $x^2 \bmod n$, $(x+1)^2 \bmod n$, $(x+2)^2 \bmod n, \ldots$ and sieve for B-smooth numbers. Do this until a subset of at least $d + 1$ smooth numbers is formed (to ensure a linear dependency), where d is the dimension of the factor base.
4. Form a matrix with its columns being the exponent vectors of each B-smooth number mod 2.
5. Compute the kernel mod 2 with Gauss's method. A kernel vector combines the congruences in such a way as to give even exponents, thus a solution of $x^2 \equiv y^2 \pmod n$.
6. Calculate $x = x_1 x_2 \cdots x_d \bmod n$ and $y = \sqrt{(x_1^2 - n)(x_2^2 - n) \cdots (x_d^2 - n)} \bmod n$.
7. The non-trivial factors of n are $a = \gcd(x \pm y, n)$.

[Flowchart of the algorithm; node labels: choice of B, initialisation, sieving, linear algebra, factor, trivial, non-trivial factor, stop.]

Sieving step

A variation of the Sieve of Eratosthenes, instead of trial division, is used to make the sieving step faster. Divide $x^2 \pmod n$ by each of the primes in the factor base and its powers. All the B-smooth numbers will be reduced to 1. Again this can be improved further using logarithms, which handle smaller numbers.

Symmetric Sieving

A symmetric sieve stays closer to $\lceil\sqrt{n}\rceil$ until the matrix is full. A sieve just above or just below needs to go further away from $\lceil\sqrt{n}\rceil$ to find the last B-smooth numbers. This is not good because the numbers get harder to factor and B-smooth numbers get rarer.

Using Logarithms

The most time-consuming step is sieving, since it can be required to check a very large set of numbers to see if they are B-smooth. Using approximations of the logarithms of each prime being sieved makes the sieving step more efficient. The advantage of the method is that we save time by performing a subtraction instead of a division.

Large Prime Variations

In practice, it often occurs that congruences are almost B-smooth except for having one larger prime factor, and therefore cannot be used in the sieve. These numbers are stored in the hope of being matched with another number having the same large prime factor, thus completing the square. The probability of numbers in the list having the same pair of large primes is analogous to the birthday paradox. It says that in a group of 23 people, at least two of them have the same birthday with probability of more than 50%.

Plots of B-smooth numbers

[Plots of the B-smooth numbers found; parameters below.]
Parameters: n = 4108131370631997507088207501257298124693, B = 25458. Used Legendre for the factor base but not the large prime variation, and the sieve method was logs with cutoff 20.
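The seven steps above, combined with the logarithmic sieve of the "Using Logarithms" section, as an added Python example that is not part of the poster. The modulus n = 8051 (= 83 × 97), the bound B = 30, the chunk size and the cutoff value used in the tests are constructed for illustration, and the modular square roots are found by brute force rather than by Tonelli-Shanks and Hensel lifting, which is what a real sieve would use; otherwise the code follows the poster's steps 1 to 7 and its choice-of-B heuristic.

```python
"""Basic quadratic sieve following the poster's steps 1-7, with the
logarithmic sieve of the "Using Logarithms" section.  Added example, not
the poster's own code; n = 8051 (= 83 * 97) and B = 30 are constructed."""
from math import exp, gcd, isqrt, log, sqrt

def legendre(a, p):
    """Euler's criterion a^((p-1)/2) mod p, mapped to {-1, 0, 1}."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def primes_upto(limit):
    """Primes <= limit by trial division (limit is small here)."""
    return [p for p in range(2, limit + 1)
            if all(p % q for q in range(2, isqrt(p) + 1))]

def choose_B(n):
    """Heuristic bound exp((1/2) sqrt(ln n ln ln n)) from "Choosing B"."""
    return int(exp(0.5 * sqrt(log(n) * log(log(n)))))

def factor_base(n, B):
    """Step 2: primes p <= B with Legendre symbol (n/p) = 1; 2 is always kept."""
    return [p for p in primes_upto(B) if p == 2 or legendre(n, p) == 1]

def exponent_vector(q, fb):
    """Trial-divide q by the factor base; None if q is not B-smooth."""
    vec = []
    for p in fb:
        e = 0
        while q % p == 0:
            q, e = q // p, e + 1
        vec.append(e)
    return vec if q == 1 else None

def sieve_roots(n, fb, B):
    """Roots of r^2 = n (mod p^k) for every factor-base prime p and p^k <= B^2.
    Brute force for brevity; a real sieve uses Tonelli-Shanks plus Hensel lifting."""
    out = []
    for p in fb:
        pk = p
        while pk <= B * B:
            out.append((pk, log(p), [r for r in range(pk) if (r * r - n) % pk == 0]))
            pk *= p
    return out

def log_sieve(n, roots, start, length, cutoff):
    """Step 3 with logarithms: add log p at each x in [start, start+length) with
    p^k | Q(x), Q(x) = x^2 - n.  x is a candidate when the sum comes within
    `cutoff` of log Q(x); one subtraction per x replaces repeated divisions."""
    acc = [0.0] * length
    for pk, lp, rs in roots:
        for r in rs:
            for i in range((r - start) % pk, length, pk):
                acc[i] += lp
    return [start + i for i in range(length)
            if acc[i] >= log((start + i) ** 2 - n) - cutoff]

def gf2_kernel(rows):
    """Steps 4-5: Gaussian elimination over GF(2) on exponent vectors mod 2.
    Returns index lists of relations whose vectors sum to zero mod 2."""
    pivots, deps = {}, []
    for i, r in enumerate(rows):
        row = sum(1 << j for j, e in enumerate(r) if e & 1)
        hist = 1 << i                              # relations combined so far
        while row and (row.bit_length() - 1) in pivots:
            prow, phist = pivots[row.bit_length() - 1]
            row, hist = row ^ prow, hist ^ phist   # leading bit strictly drops
        if row:
            pivots[row.bit_length() - 1] = (row, hist)
        else:
            deps.append([k for k in range(len(rows)) if hist >> k & 1])
    return deps

def quadratic_sieve(n, B=None, cutoff=1.0, chunk=100, limit=10**6):
    """Steps 1-7: return a non-trivial factor of n, or None if none was found."""
    B = B or choose_B(n)                           # step 1
    fb = factor_base(n, B)                         # step 2
    roots = sieve_roots(n, fb, B)
    start = isqrt(n) + 1                           # step 3: x = ceil(sqrt(n))
    relations, x0 = [], start
    while len(relations) <= len(fb) and x0 - start < limit:
        for x in log_sieve(n, roots, x0, chunk, cutoff):
            vec = exponent_vector(x * x - n, fb)   # verify the candidate
            if vec is not None:
                relations.append((x, vec))
        x0 += chunk
    if len(relations) <= len(fb):                  # fewer than d + 1 relations
        return None
    for dep in gf2_kernel([v for _, v in relations]):
        x, exps = 1, [0] * len(fb)                 # step 6
        for k in dep:
            x = x * relations[k][0] % n
            exps = [a + b for a, b in zip(exps, relations[k][1])]
        y = 1                                      # y = sqrt(prod (x_i^2 - n)) mod n
        for p, e in zip(fb, exps):
            y = y * pow(p, e // 2, n) % n
        for f in (gcd(x - y, n), gcd(x + y, n)):   # step 7
            if 1 < f < n:
                return f
    return None
```

For n = 8051 and B = 30 the factor base is [2, 5, 7, 13, 23], the first sieve chunk starting at 90 already yields more than d + 1 = 6 smooth values (x = 90, 91, 93, 99, 106, 139, 141), and the first kernel vector gives gcd(90 − 7, 8051) = 83. The cutoff only has to absorb prime powers above B², because every power up to B² is sieved explicitly, so candidates that fail the trial-division check are rare at this size.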